Privacy Policy

Last updated: March 16, 2026

1. Introduction

onUI ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

onUI is a platform that provides AI-powered features to web applications, including AI chat assistants, page generation, and report building. Our customers integrate these features into their own applications or use them directly through our dashboard.

This policy applies to our customers (organizations and individuals who use our platform) and to end-users who interact with AI features embedded in our customers' applications. If you are an end-user interacting with an AI feature powered by onUI within a third-party application, that application's operator is responsible for providing you with their own privacy notice. This policy describes how onUI handles data as a service provider.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us, including:

  • Account information (name, email address, password)
  • Profile information
  • Payment information (processed securely through third-party payment processors)
  • Communications you send to us

2.2 Usage Data

We automatically collect certain information about your device and how you interact with our Service:

  • Log data (IP address, browser type, pages visited, time spent)
  • Device information (device type, operating system)
  • Usage statistics (features used, API calls made)
  • Error logs and diagnostic data

2.3 Integration Data

To integrate onUI features into your application, we collect configuration metadata about your app via our CLI tool or manual data entry. This includes:

  • Public API routes and endpoints
  • Design tokens and theming information
  • UI component definitions
  • Application route structure

Note: We only collect public-facing metadata necessary for the integration to function. We do not access, store, or process your source code, proprietary business logic, or credentials.

2.4 API Keys and Credentials

onUI does not provide AI model access. You provide your own third-party API keys (OpenAI, Anthropic, Google, etc.) to use AI features. When you provide these keys:

  • Keys are encrypted with AES-256-GCM before storage
  • Keys are only decrypted when needed to make API calls on your behalf
  • We never share your API keys with any third parties except the respective providers
  • Data sent to AI providers is governed by your own agreement with those providers

2.5 Chat and AI-Generated Content

When you use AI features through the Service, we store:

  • Chat conversations and AI responses
  • AI-generated pages and UI components
  • Reports and report layouts

This data is stored persistently so you can access your full history. It is used solely to provide the Service to you.

2.6 Knowledge Base Data

onUI builds knowledge bases gradually through AI-powered interactions about your application's intent, data, and requirements. This information is processed into embeddings to power AI features. Knowledge base data is not uploaded by you directly — it is derived from your interactions with the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process your transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments and questions
  • Detect, prevent, and address technical issues and security threats

We may use anonymized and aggregated profiling and metadata (such as usage patterns and feature adoption) for product improvement purposes. We do not use your actual content — including chat messages, reports, generated pages, or knowledge base data — for any purpose other than providing the Service to you.

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We may share your information with third-party service providers who perform services on our behalf:

  • AI providers (OpenAI, Anthropic, Google) - requests are made using your own API keys and governed by your agreement with those providers
  • Authentication services (Supabase Auth) - for user authentication and account management
  • Hosting and infrastructure providers (Vercel, Supabase)
  • Payment processors

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest (AES-256-GCM for API keys)
  • Regular security assessments and updates
  • Access controls and authentication
  • Secure development practices

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

Your content (chat messages, reports, generated pages, knowledge base data) is stored persistently for as long as your account is active, so you can access your full history.

When you request account deletion, we will provide you with the opportunity to export your data before deletion. Your personal information and content will be deleted or anonymized within 30 days of your request, unless we are required to retain it for legal or regulatory purposes.

If your account is terminated by onUI (e.g., for a violation of our Terms of Service or Acceptable Use Policy), your data will be deleted immediately upon termination.

7. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contractual necessity: Processing required to provide you with our Service (account management, AI features, integration data)
  • Legitimate interest: Processing for security, fraud prevention, and service improvement, where these interests are not overridden by your rights
  • Legal obligation: Processing required to comply with applicable laws
  • Consent: Where we rely on your consent, you may withdraw it at any time by contacting us

When onUI processes data on behalf of a customer (as a data processor), the customer is the data controller and determines the legal basis for processing. We process such data only in accordance with the customer's instructions and our Data Processing Agreement (DPA), available upon request.

8. Your Rights

8.1 Rights Under GDPR (EEA Residents)

If you are in the EEA, you have the following rights:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your information
  • Portability: Request a copy of your data in a portable format
  • Restriction: Request restriction of processing of your information
  • Objection: Object to processing of your information
  • Withdraw Consent: Withdraw consent where processing is based on consent

You also have the right to lodge a complaint with your local data protection supervisory authority.

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: Request the categories and specific pieces of personal information we have collected about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, please contact us at privacy@onui.ai. We will respond within the timeframes required by applicable law.

9. Cookies and Tracking Technologies

We use only essential cookies required for the Service to function, such as authentication session cookies. We do not currently use any third-party analytics or tracking tools.

If we introduce analytics or tracking technologies in the future, we will update this policy and implement appropriate consent mechanisms where required by law.

10. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

11. Data Residency and International Transfers

Your data is stored in the European Union (EU West region). We do not transfer your data outside of the EU for storage or processing, except where necessary to provide the Service (e.g., when AI requests are sent to third-party providers using your own API keys, which may process data in other regions according to their own policies).

12. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have questions about this Privacy Policy, please contact us:

Email: privacy@onui.ai
Data Protection Officer: dpo@onui.ai
Website: https://onui.ai